Red Sift - New email with URL from previously unseen source

Back


Id	6084dfd8-830b-4839-9a9c-5f08cc984729
Rulename	Red Sift - New email with URL from previously unseen source
Description	Detects email forensics events that contain one or more URLs where the sender is using a source IP address not seen in the previous 14 days, which may indicate suspicious infrastructure changes or phishing activity.
Severity	Medium
Tactics	InitialAccess
Techniques	T1566
Required data connectors	RedSiftPush
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSource.yaml
Version	1.0.0
Arm template	6084dfd8-830b-4839-9a9c-5f08cc984729.json

KQL

let lookback = 14d;
let recentWindow = 1h;
let historicalSources = RedSiftEmailForensics_CL
| extend
    EmailFrom = tostring(column_ifexists("EmailFrom", "")),
    SrcIp = tostring(column_ifexists("SrcIp", ""))
| where TimeGenerated between (ago(lookback) .. ago(recentWindow))
| where isnotempty(EmailFrom) and isnotempty(SrcIp)
| summarize by EmailFrom, SrcIp;
RedSiftEmailForensics_CL
| extend
    EmailFrom = tostring(column_ifexists("EmailFrom", "")),
    EmailSubject = tostring(column_ifexists("EmailSubject", "")),
    EmailReturnPath = tostring(column_ifexists("EmailReturnPath", "")),
    EmailMessageUid = tostring(column_ifexists("EmailMessageUid", "")),
    SrcIp = tostring(column_ifexists("SrcIp", "")),
    DstHostname = tostring(column_ifexists("DstHostname", "")),
    Severity = tostring(column_ifexists("Severity", "")),
    Message = tostring(column_ifexists("Message", "")),
    CorrelationUid = tostring(column_ifexists("CorrelationUid", "")),
    EmailUrls = todynamic(column_ifexists("EmailUrls", "[]"))
| where TimeGenerated >= ago(recentWindow)
| where isnotempty(EmailFrom) and isnotempty(SrcIp)
| extend UrlCount = array_length(EmailUrls)
| where UrlCount > 0
| mv-apply Url = EmailUrls on (
    summarize UrlSet = make_set(tostring(Url.url_string), 50)
  )
| extend UrlList = strcat_array(UrlSet, ", ")
| join kind=leftanti (historicalSources) on EmailFrom, SrcIp
| project
    TimeGenerated,
    EmailFrom,
    EmailSubject,
    EmailReturnPath,
    EmailMessageUid,
    SrcIp,
    DstHostname,
    UrlCount,
    UrlList,
    Severity,
    Message,
    CorrelationUid

YAML

relevantTechniques:
- T1566
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: EmailFrom
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIp
    identifier: Address
- entityType: DNS
  fieldMappings:
  - columnName: DstHostname
    identifier: DomainName
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.0
suppressionDuration: PT1H
id: 6084dfd8-830b-4839-9a9c-5f08cc984729
suppressionEnabled: false
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
    'Detects email forensics events that contain one or more URLs where the sender is using a source IP address not seen in the previous 14 days, which may indicate suspicious infrastructure changes or phishing activity.'
requiredDataConnectors:
- connectorId: RedSiftPush
  dataTypes:
  - RedSiftEmailForensics_CL
triggerOperator: gt
name: Red Sift - New email with URL from previously unseen source
tactics:
- InitialAccess
alertDetailsOverride:
  alertDescriptionFormat: Email from {{EmailFrom}} contains {{UrlCount}} URL(s) and originated from previously unseen source IP {{SrcIp}}.
  alertDisplayNameFormat: RedSift - New URL-bearing email source for {{EmailFrom}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSource.yaml
triggerThreshold: 0
queryPeriod: 14d
query: |
  let lookback = 14d;
  let recentWindow = 1h;
  let historicalSources = RedSiftEmailForensics_CL
  | extend
      EmailFrom = tostring(column_ifexists("EmailFrom", "")),
      SrcIp = tostring(column_ifexists("SrcIp", ""))
  | where TimeGenerated between (ago(lookback) .. ago(recentWindow))
  | where isnotempty(EmailFrom) and isnotempty(SrcIp)
  | summarize by EmailFrom, SrcIp;
  RedSiftEmailForensics_CL
  | extend
      EmailFrom = tostring(column_ifexists("EmailFrom", "")),
      EmailSubject = tostring(column_ifexists("EmailSubject", "")),
      EmailReturnPath = tostring(column_ifexists("EmailReturnPath", "")),
      EmailMessageUid = tostring(column_ifexists("EmailMessageUid", "")),
      SrcIp = tostring(column_ifexists("SrcIp", "")),
      DstHostname = tostring(column_ifexists("DstHostname", "")),
      Severity = tostring(column_ifexists("Severity", "")),
      Message = tostring(column_ifexists("Message", "")),
      CorrelationUid = tostring(column_ifexists("CorrelationUid", "")),
      EmailUrls = todynamic(column_ifexists("EmailUrls", "[]"))
  | where TimeGenerated >= ago(recentWindow)
  | where isnotempty(EmailFrom) and isnotempty(SrcIp)
  | extend UrlCount = array_length(EmailUrls)
  | where UrlCount > 0
  | mv-apply Url = EmailUrls on (
      summarize UrlSet = make_set(tostring(Url.url_string), 50)
    )
  | extend UrlList = strcat_array(UrlSet, ", ")
  | join kind=leftanti (historicalSources) on EmailFrom, SrcIp
  | project
      TimeGenerated,
      EmailFrom,
      EmailSubject,
      EmailReturnPath,
      EmailMessageUid,
      SrcIp,
      DstHostname,
      UrlCount,
      UrlList,
      Severity,
      Message,
      CorrelationUid  
status: Available
customDetails:
  ReturnPath: EmailReturnPath
  UrlCount: UrlCount
  CorrelationUid: CorrelationUid
  EmailSubject: EmailSubject
  UrlList: UrlList
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    groupByEntities:
    - Account
    - IP
    groupByCustomDetails:
    - EmailSubject
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: P1D

ARM